Société Générale breach report released

Dark Reading has reposted the findings of the breach report, highlighting faults:

Key points in the study lay blame at the feet of Kerviel’s supervisors. “The direct supervisor lacked trading experience and was not given a sufficient degree of support in his new role,” the report says. Neither the supervisor nor the manager above him took the time to adequately review Kerviel’s trades or benchmark Kerviel’s falsified reports against the company’s actual financial positions, the investigators say.

Kerviel’s actions also revealed some significant flaws in the company’s trading control systems, which did not immediately identify the fraud, the report says. For example, the company’s IT systems did not grow in a fashion that was consistent with the “very strong growth” in transaction volumes in Kerviel’s equities division, it says.

I’m not sure what that really means, but I think they are saying that IT was not funded sufficiently to handle the risk. That sounds like if they had spent a bit more on security and controls within the organization, they could have avoided some of the $7 billion. Wow. Imagine the possibilities for control systems if they had spent just $100 million. The magic number for security spend of best-performing companies now seems to be 12%. If your company is spending less, and especially if it is spending under 10%, you probably want to read the report.